
我正在尝试使用 Spring Security SAML 实现 SSO，但是在解密 SOAP 响应中断言的加密密钥时发生错误。
SOAP 响应:

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <!-- SOAP 1.1 envelope (schemas.xmlsoap.org/soap/envelope/) carrying a SAML 2.0 ArtifactResponse.
        Digest, signature, certificate, public-key and cipher values were elided as "..." by the author. -->
   <!-- The empty Header binds a second prefix (SOAP-ENV) to the same namespace URI already bound to "soap";
        namespace-aware parsers compare names by URI, so the duplicate prefix is harmless. -->
   <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/>
   <soap:Body>
      <!-- Outer protocol message. Its ID (ID-067d75bd-3193-4bd8-9852-44da67b015ce) is the target of the
           first Signature's Reference below; all namespace prefixes used further down are declared here. -->
      <saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="ID-067d75bd-3193-4bd8-9852-44da67b015ce" InResponseTo="a590ga841bj851ii498bech5c29h377" IssueInstant="2021-09-29T07:23:59.439Z" Version="2.0" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:coi-naturalperson="http://coi.gov.pl/attributes/naturalperson" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" xmlns:eidas="http://eidas.europa.eu/saml-extensions" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:naturalperson="http://eidas.europa.eu/attributes/naturalperson" xmlns:ns13="http://coi.gov.pl/saml-extensions" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
         <saml2:Issuer>symulator.login.gov.pl</saml2:Issuer>
         <!-- Enveloped XML signature over the whole ArtifactResponse: exclusive C14N (with the listed
              InclusiveNamespaces prefixes), ECDSA with SHA-256, SHA-256 digest. KeyInfo carries an embedded
              X509Certificate. NOTE(review): a relying party should verify this signature against the signing
              key published in the IdP's trusted metadata, not merely against the certificate embedded here. -->
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
               <ds:Reference URI="#ID-067d75bd-3193-4bd8-9852-44da67b015ce">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p xenc"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>...</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>
               <ds:X509Data>
                  <ds:X509Certificate>...</ds:X509Certificate>
               </ds:X509Data>
            </ds:KeyInfo>
         </ds:Signature>
         <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
         </saml2p:Status>
         <!-- The resolved artifact: a complete SAML Response, signed a second time with the same algorithms.
              Its Reference targets the Response ID (ID-e15baf95-bfe2-4658-9ffe-097d84b636f3), so the
              EncryptedAssertion below is covered by this signature in its encrypted form. -->
         <saml2p:Response ID="ID-e15baf95-bfe2-4658-9ffe-097d84b636f3" InResponseTo="a4hj979di081ig2052572agg3f37h29" IssueInstant="2021-09-29T07:23:59.431Z" Version="2.0">
            <saml2:Issuer>symulator.login.gov.pl</saml2:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
                  <ds:Reference URI="#ID-e15baf95-bfe2-4658-9ffe-097d84b636f3">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p xenc"/>
                        </ds:Transform>
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                     <ds:DigestValue>...</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>...</ds:SignatureValue>
               <ds:KeyInfo>
                  <ds:X509Data>
                     <ds:X509Certificate>...</ds:X509Certificate>
                  </ds:X509Data>
               </ds:KeyInfo>
            </ds:Signature>
            <saml2p:Status>
               <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
            </saml2p:Status>
            <!-- The assertion is carried encrypted (XML Encryption 1.1): the content is encrypted with AES-256-GCM
                 under a content key that is itself wrapped with AES-256 key wrap (kw-aes256) in the EncryptedKey below. -->
            <saml2:EncryptedAssertion>
               <xenc:EncryptedData Id="_5ef019d753fd9b4faf52138cc8f4d9f0" Type="http://www.w3.org/2001/04/xmlenc#Element">
                  <!-- A ds:DigestMethod child on a symmetric EncryptionMethod is unusual (the child is defined for
                       RSA-OAEP); presumably ignored by the decrypter, to confirm against the IdP's profile. -->
                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm">
                     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  </xenc:EncryptionMethod>
                  <ds:KeyInfo>
                     <!-- The key-encryption key is not transported. It is derived by ECDH-ES key agreement (xmlenc11)
                          between the originator's EC public key given below (NamedCurve OID 1.2.840.10045.3.1.7, i.e.
                          P-256) and the recipient's EC private key, then passed through ConcatKDF with SHA-256; only the
                          derived key can unwrap the content key with kw-aes256. No RecipientKeyInfo is present, so the
                          recipient key is presumably resolved from the SP's own configuration.
                          NOTE(review): the accompanying log shows XMLCipher selecting "AESWrap" and failing with
                          "No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl", i.e. the raw EC
                          private key was handed directly to the unwrap step. That is consistent with the decrypter in the
                          trace (org.opensaml.xml.encryption.Decrypter) not performing the AgreementMethod derivation at
                          all, rather than with a missing JCE provider; to confirm against that library's supported
                          key-transport/agreement methods. -->
                     <xenc:EncryptedKey Id="_6147c823d9f485f3716099ee5efecdac">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>
                        <ds:KeyInfo>
                           <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
                              <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
                                 <!-- ConcatKDF "other info". The three hex fields are ASCII after a leading prefix (which
                                      appears to be a padding/length prefix): AlgorithmID decodes to the kw-aes256 URI,
                                      PartyUInfo to "symulator.login.gov.pl" (matches saml2:Issuer) and PartyVInfo to the
                                      recipient hostname "wniosek.urpl-test.npc.pl". The decrypting side must feed the
                                      identical octets into the KDF, otherwise the derived key-encryption key differs. -->
                                 <xenc11:ConcatKDFParams AlgorithmID="0000002A687474703A2F2F7777772E77332E6F72672F323030312F30342F786D6C656E63236B772D616573323536" PartyUInfo="0000001673796D756C61746F722E6C6F67696E2E676F762E706C" PartyVInfo="00000018776E696F73656B2E7572706C2D746573742E6E70632E706C">
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                 </xenc11:ConcatKDFParams>
                              </xenc11:KeyDerivationMethod>
                              <!-- Originator (IdP side) EC public key used for the agreement; the curve is named by OID. -->
                              <xenc:OriginatorKeyInfo>
                                 <ds:KeyValue>
                                    <dsig11:ECKeyValue>
                                       <dsig11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
                                       <dsig11:PublicKey>...</dsig11:PublicKey>
                                    </dsig11:ECKeyValue>
                                 </ds:KeyValue>
                              </xenc:OriginatorKeyInfo>
                           </xenc:AgreementMethod>
                        </ds:KeyInfo>
                        <!-- Wrapped (kw-aes256) content key. -->
                        <xenc:CipherData>
                           <xenc:CipherValue>...</xenc:CipherValue>
                        </xenc:CipherData>
                     </xenc:EncryptedKey>
                  </ds:KeyInfo>
                  <!-- AES-256-GCM ciphertext of the assertion element. -->
                  <xenc:CipherData>
                     <xenc:CipherValue>...</xenc:CipherValue>
                  </xenc:CipherData>
               </xenc:EncryptedData>
            </saml2:EncryptedAssertion>
         </saml2p:Response>
      </saml2p:ArtifactResponse>
   </soap:Body>
</soap:Envelope>

日志:

2021-09-29 09:24:13.356 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.algorithms.JCEMapper    : Request for URI http://www.w3.org/2009/xmlenc11#aes256-gcm
2021-09-29 09:24:13.356 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.encryption.XMLCipher    : JCE Key Algorithm: AES
2021-09-29 09:24:15.024 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.algorithms.JCEMapper    : Request for URI http://www.w3.org/2001/04/xmlenc#kw-aes256
2021-09-29 09:24:15.024 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.encryption.XMLCipher    : JCE Algorithm = AESWrap
2021-09-29 09:24:16.327 ERROR 3052 --- [ XNIO-2 task-29] org.opensaml.xml.encryption.Decrypter    : Error decrypting encrypted key

org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1495)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:708)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:639)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:794)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:235)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
    ...

环境:
Java 1.8 (291)，也在 Java 11 和 17 上尝试过，结果相同
Spring Boot 1.4.1
spring-security-saml2-core 1.0.10.RELEASE
opensaml-core 4.1.0

提供者:

  1. sun.security.provider.Sun sun.security.rsa.SunRsaSign
  2. sun.security.ec.SunEC com.sun.net.ssl.internal.ssl.Provider
  3. com.sun.crypto.provider.SunJCE sun.security.jgss.SunProvider
  4. com.sun.security.sasl.Provider
  5. org.jcp.xml.dsig.internal.dom.XMLDSigRI
  6. sun.security.smartcardio.SunPCSC
  7. org.bouncycastle.jce.provider.BouncyCastleProvider
  8. sun.security.mscapi.SunMSCAPI
